Note: The framework checks at startup whether the application is serving over SSL/TLS and applies this header only if it is; otherwise the header is not set.

sts {
# The time, in seconds, that the browser should remember that this site
# is only to be accessed using HTTPS. Valid time units are
# "s -> seconds", "m -> minutes", "h -> hours".
# Default value is 30 days, expressed in hours (`720h`).
#max_age = "720h"
# If enabled the STS rule applies to all of the site's subdomains as well.
# Default value is `false`.
#include_subdomains = true
# Before enabling the preload option, read about its pros and cons in the links above;
# removal from the preload list takes months to reach browsers, so it is hard to undo.
# Default value is `false`.
#preload = false
}
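The following is an added example, not code from the original page or from the framework it documents. It shows, in Go with only the standard library, how the three `sts` keys above turn into a `Strict-Transport-Security` value, how the startup rule in the note is applied (the `tlsEnabled` flag is an assumption standing in for the framework's own SSL detection), and the two checks a practitioner wants before setting `preload`: the preload list refuses entries without `includeSubDomains` or with a `max-age` under one year, so the documented 30-day default is rejected rather than shipped.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// STSConfig mirrors the keys of the `sts { ... }` block above.
type STSConfig struct {
	MaxAge            string // e.g. "720h"; Go's ParseDuration accepts the same s/m/h units
	IncludeSubdomains bool
	Preload           bool
}

// stsPreloadMinAge is the smallest max-age the HSTS preload list accepts (one year).
const stsPreloadMinAge = 365 * 24 * time.Hour

// BuildSTSHeader renders the Strict-Transport-Security value and rejects a
// preload request that the preload list would refuse anyway.
func BuildSTSHeader(c STSConfig) (string, error) {
	raw := c.MaxAge
	if raw == "" {
		raw = "720h" // documented default: 30 days
	}
	d, err := time.ParseDuration(raw)
	if err != nil || d <= 0 {
		return "", fmt.Errorf("sts.max_age %q is not a positive duration", raw)
	}
	if c.Preload {
		if !c.IncludeSubdomains {
			return "", errors.New("sts.preload requires sts.include_subdomains = true")
		}
		if d < stsPreloadMinAge {
			return "", errors.New("sts.preload requires sts.max_age of at least 8760h (one year)")
		}
	}
	parts := []string{fmt.Sprintf("max-age=%d", int64(d.Seconds()))}
	if c.IncludeSubdomains {
		parts = append(parts, "includeSubDomains")
	}
	if c.Preload {
		parts = append(parts, "preload")
	}
	return strings.Join(parts, "; "), nil
}

// ApplySTS reproduces the startup rule from the note above: the header is
// only added when the application is actually serving TLS. tlsEnabled is an
// assumed flag standing in for the framework's own SSL detection.
func ApplySTS(h http.Header, c STSConfig, tlsEnabled bool) error {
	if !tlsEnabled {
		return nil
	}
	v, err := BuildSTSHeader(c)
	if err != nil {
		return err
	}
	h.Set("Strict-Transport-Security", v)
	return nil
}

func main() {
	h := http.Header{}
	cfg := STSConfig{MaxAge: "720h", IncludeSubdomains: true}
	if err := ApplySTS(h, cfg, true); err != nil {
		panic(err)
	}
	fmt.Println(h.Get("Strict-Transport-Security")) // max-age=2592000; includeSubDomains

	// Plain HTTP: nothing is set, exactly as the note describes.
	plain := http.Header{}
	_ = ApplySTS(plain, cfg, false)
	fmt.Printf("over http: %q\n", plain.Get("Strict-Transport-Security"))

	// preload with the 30-day default is refused before it reaches a browser.
	_, err := BuildSTSHeader(STSConfig{MaxAge: "720h", IncludeSubdomains: true, Preload: true})
	fmt.Println("preload check:", err)
}
```

`time.ParseDuration` rejects a `d` (days) unit just as the config does, which is why the default is written as `720h`.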

Header: Content-Security-Policy (CSP)

Provides a rich set of policy directives that give fairly granular control over the resources a page is allowed to load and the scripts it is allowed to run. It mitigates XSS and related content-injection risks; it does not fix the underlying bugs.

It is highly recommended to verify your policy directives in report-only mode before enforcing this header, since it tightly controls how your page is rendered and an over-strict policy will break the page for every user.

Only applied to prod environment profile.

No default values, you have to provide it.

csp {
# Set of directives to govern the resources load on a page.
directives = ""
# By default, violation reports aren't sent. To enable violation reporting,
# set `report_uri`; it is emitted as the `report-uri` policy directive.
report_uri = ""
# Puts your `Content-Security-Policy` in report-only mode (the header is sent as
# `Content-Security-Policy-Report-Only`), so that you can verify the policy
# and then set `report_only` to false to enforce it.
# Don't forget to set `report_uri`, otherwise nothing is reported.
report_only = true
}
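An added example, not code from the original page or from the framework, showing how the `csp` keys above become a header and how to check what was actually sent. It switches the header name to `Content-Security-Policy-Report-Only` when `report_only` is set, appends `report_uri` as the `report-uri` directive, and, as a choice of this example rather than documented framework behaviour, refuses report-only mode without a `report_uri` (the browser would enforce nothing and report nowhere). The sample policy and the `prodProfile` flag are constructed for the example; the flag stands in for the framework's environment-profile check.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// CSPConfig mirrors the keys of the `csp { ... }` block above.
type CSPConfig struct {
	Directives string
	ReportURI  string
	ReportOnly bool
}

// BuildCSPHeader returns the header name and value to send. In report-only
// mode the browser enforces nothing and only POSTs violations to report-uri,
// so (a choice of this example) report-only without a report_uri is an error
// rather than a silently useless header.
func BuildCSPHeader(c CSPConfig) (name, value string, err error) {
	d := strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(c.Directives), ";"))
	if d == "" {
		return "", "", errors.New("csp.directives is required: there is no default policy")
	}
	if strings.Contains(strings.ToLower(d), "report-uri") {
		return "", "", errors.New("set the report endpoint in csp.report_uri, not inside csp.directives")
	}
	name = "Content-Security-Policy"
	if c.ReportOnly {
		if c.ReportURI == "" {
			return "", "", errors.New("csp.report_only = true needs csp.report_uri, otherwise violations go nowhere")
		}
		name = "Content-Security-Policy-Report-Only"
	}
	value = d
	if c.ReportURI != "" {
		value += "; report-uri " + c.ReportURI
	}
	return name, value, nil
}

// ParseCSP splits a policy value into directive -> source list. Use it to
// check what a server really emits (e.g. the value from `curl -sI https://host`).
func ParseCSP(value string) map[string][]string {
	out := map[string][]string{}
	for _, part := range strings.Split(value, ";") {
		fields := strings.Fields(part)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// ApplyCSP sets the header on a response; prodProfile is an assumed flag
// standing in for the framework's environment-profile check.
func ApplyCSP(h http.Header, c CSPConfig, prodProfile bool) error {
	if !prodProfile {
		return nil
	}
	name, value, err := BuildCSPHeader(c)
	if err != nil {
		return err
	}
	h.Set(name, value)
	return nil
}

func main() {
	// Constructed sample policy: same-origin by default, scripts also from one CDN,
	// and no plugins. Start in report-only mode, as the text recommends.
	cfg := CSPConfig{
		Directives: "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
		ReportURI:  "/csp-report",
		ReportOnly: true,
	}
	h := http.Header{}
	if err := ApplyCSP(h, cfg, true); err != nil {
		panic(err)
	}
	for name := range h {
		fmt.Printf("%s: %s\n", name, h.Get(name))
	}
	fmt.Println("script-src:", ParseCSP(h.Get("Content-Security-Policy-Report-Only"))["script-src"])
}
```

Once the report endpoint stops receiving violations for legitimate traffic, flip `ReportOnly` to false and the same directives are sent under the enforcing header name.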

Header: Public-Key-Pins (PKP, aka HPKP)

This header is meant to defeat man-in-the-middle (MITM) attacks that present a forged but validly signed certificate: the browser remembers which public keys (SPKI hashes) the site may use and rejects any certificate chain that contains none of them.

HPKP has the potential to lock out the site for all of its users for as long as `max_age` if used incorrectly, because a lost or rotated key cannot be un-pinned remotely. Always pin a backup key that is kept offline, and/or pin the CA's key rather than only the leaf. Note also that mainstream browsers have since dropped support for this header (Chrome removed it in version 72 and Firefox never enabled it by default), so treat it as legacy configuration.

It is highly recommended to verify your PKP in report-only mode before enforcing this header.

The framework checks at startup whether the application is serving over SSL/TLS and applies this header only if it is; otherwise the header is not set.

Only applied to prod environment profile.

No default values, you have to provide it.

pkp {
# The Base64 encoded Subject Public Key Information (SPKI) fingerprint.
# These values are emitted as `pin-sha256=<key1>; pin-sha256=<key2>; ...` directives
# (RFC 7469 puts the base64 value in double quotes).
#keys = [
#"X3pGTSOuJeEVw989IJ/cEtXUEmy52zs1TZQrU06KUKg=",
#"MHJYVThihUrJcxW6wcqyOISTXIsInsdj3xK8QrZbHec="
#]
# The time that the browser should remember that this site is only to be
# accessed using one of the defined keys.
# Valid time units are "s -> seconds", "m -> minutes", "h -> hours".
max_age = "720h"
# If enabled the PKP keys applies to all of the site's subdomains as well.
# Default value is `false`.
include_subdomains = false
# By default, Pin validation failure reports aren't sent. To enable Pin validation
# failure reporting, you need to specify the report-uri.
report_uri = ""
# Puts your `Public-Key-Pins` in report-only mode (the header is sent as
# `Public-Key-Pins-Report-Only`), so that you can verify the pins
# and then set `report_only` to false to enforce them.
# Don't forget to set `report_uri`, otherwise nothing is reported.
report_only = true
}
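An added example, not code from the original page or from the framework, covering the two things the `pkp` block leaves to the operator: computing a `pin-sha256` value from a key, and building the header with the backup-pin rule the text insists on. `SPKIPin` hashes the DER-encoded SubjectPublicKeyInfo exactly as `openssl pkey -pubout -outform DER | openssl dgst -sha256 -binary | base64` would, so the same function verifies a pin you were handed. `BuildPKPHeader` refuses fewer than two pins (RFC 7469 requires at least one pin in the served chain plus at least one backup that is not) and refuses anything that is not a base64 SHA-256 digest. The key pair and report URL are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SPKIPin computes the value that goes into pin-sha256="...": base64 of the
// SHA-256 over the DER-encoded SubjectPublicKeyInfo. It matches
//   openssl pkey -pubout -outform DER | openssl dgst -sha256 -binary | base64
func SPKIPin(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// PKPConfig mirrors the keys of the `pkp { ... }` block above.
type PKPConfig struct {
	Keys              []string
	MaxAge            string
	IncludeSubdomains bool
	ReportURI         string
	ReportOnly        bool
}

// BuildPKPHeader renders the header name and value. RFC 7469 requires at
// least two pins, one matching the served chain and one backup that does
// not, so fewer than two is refused here: a single pin plus a 30-day
// max-age is exactly the self-inflicted lockout the text warns about.
func BuildPKPHeader(c PKPConfig) (name, value string, err error) {
	if len(c.Keys) < 2 {
		return "", "", errors.New("pkp.keys needs at least two pins: the deployed key and an offline backup")
	}
	d, err := time.ParseDuration(c.MaxAge)
	if err != nil || d <= 0 {
		return "", "", fmt.Errorf("pkp.max_age %q is not a positive duration", c.MaxAge)
	}
	var parts []string
	for _, k := range c.Keys {
		raw, decErr := base64.StdEncoding.DecodeString(k)
		if decErr != nil || len(raw) != sha256.Size {
			return "", "", fmt.Errorf("pin %q is not a base64-encoded SHA-256 digest", k)
		}
		parts = append(parts, `pin-sha256="`+k+`"`)
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", int64(d.Seconds())))
	if c.IncludeSubdomains {
		parts = append(parts, "includeSubDomains")
	}
	if c.ReportURI != "" {
		parts = append(parts, `report-uri="`+c.ReportURI+`"`)
	}
	name = "Public-Key-Pins"
	if c.ReportOnly {
		name = "Public-Key-Pins-Report-Only"
	}
	return name, strings.Join(parts, "; "), nil
}

func main() {
	// Constructed keys: the one in the live certificate and an offline backup
	// whose CSR is ready but which has never been submitted to a CA.
	live, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	backup, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	livePin, _ := SPKIPin(&live.PublicKey)
	backupPin, _ := SPKIPin(&backup.PublicKey)

	name, value, err := BuildPKPHeader(PKPConfig{
		Keys:       []string{livePin, backupPin},
		MaxAge:     "720h",
		ReportURI:  "https://example.com/pkp-report", // constructed
		ReportOnly: true,                             // verify in report-only mode first, as the text says
	})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %s\n", name, value)

	// One pin only: refused, so a key loss cannot brick the site.
	_, _, err = BuildPKPHeader(PKPConfig{Keys: []string{livePin}, MaxAge: "720h"})
	fmt.Println("single pin:", err)
}
```

Pin the backup from its key pair, not from a certificate: the pin covers only the public key, so the backup can be kept uncertified and offline until it is needed.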